Integrating SimpleSAMLphp with ADFS 2012R2

You may also like...

32 Responses

  1. Stewart Dickson says:

    Hi,
    Thanks for taking the time to write this up.
    You’ve just helped me restore access for circa 1500 users to an essential application.
    Much appreciated.
    Stewart

  2. Lewis says:

    Glad it helped Stewart. That’s why I do this 🙂

  3. Thomas says:

    Hi Lewis,

    In Step 6 of “Relying party trust”, you talk about the certificates and say that they should show up, but they aren’t showing up when I go onto the ADFS. Is there some config I need to do in addition to those 2 lines in config/authsources.php?

    I’d appreciate your thoughts on this, as this guide has been very useful so far

  4. Lewis says:

    Hi Thomas, the preceding section describes a process to generate a key and certificate that are stored in your SimpleSAML installation “cert” folder, so you’ll want to make sure you have done this and that they are valid. When you’re setting up the Relying Party Trust, ADFS will automatically download these certificates (from SimpleSAML) and display them to you as described.
    Let me know if you’re still struggling and I’ll help as time permits.

  5. Thomas says:

    Hi Lewis,

    Turns out I had managed to bracket a chunk of my configuration within the “description” inner array in the configuration.

    Thanks for the offer of help, I think I’ll be good from here! Thanks again for the guide!

  6. Mike says:

    Good post Lewis. One thing I’d like to point after some discovery is the requirement to provide a RP/SP the private key and certificate. You can in fact turn that off in ADFS via the Powershell snap-in for ADFS.

    set-ADFSRelyingPartyTrust –TargetName foo –EncryptClaims $False

    This will effectively prevent you from having to set the ‘sign-logout’ value in the authsources.php

  7. Thomas says:

    Hello again Lewis,

    I have now successfully integrated this into a local php app, however the logout doesn’t work. It ‘logs out’, but returning to the app does not present for the ADFS credentials again.

    I can’t work out how to force the ADFS side of things to log me out. Do you have any advice?

  8. Daniel says:

    Hello Lewis,
    Thank you for this post. It is very helpful.
    But i have some problems with my configurations…
    After “Test configured authentication sources”-s item there is an error:
    SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
    Caused by: Exception: Wrong stage in state. Was ‘SimpleSAML_Auth_State.exceptionStage’, should be ‘saml:sp:sso’.

    Can you help me with that?
    Thanks in advance

  9. Daniel says:

    The issue is resolved. There was a problem with trust relationship between SPs and IdPs domains.

  10. Ganesh says:

    Hi Lewis,

    I have integrated ADFS 2012R2 successfully with simple saml php, and is up and running cool.

    Now, is there a way to Simple saml automatically know if a user is departed from ADFS directory? Should Simple Saml implement some API or something like that?

    Br,
    Ganesh

  11. Lewis says:

    Hi Ganesh, the fact that the user is deleted from the directory is enough because it prevents them from logging in to ADFS (your domain, since ADFS is attached to Active Directory). One thing to note however is that if the user still has a valid claim issued by the ADFS server, the user will still be able to access the protected application for the lifetime of that claim. I’m not sure what the default is, probably 60 minutes but I believe it can be controlled. See this blog post for more information on ticket lifetime: https://tristanwatkins.com/coordinating-adfs-2012-r2-token-lifetime-logon-prompt-enforce-revocation-session-duration-public-network/

  12. Green says:

    Is there any probleme if i used default-sp instead of creating something like you did transishun-sp ?

    Thank you

  13. achu says:

    Hi Lewis,

    Thanks for the document.I have tried all your steps and I am successfully directed to login page. Once I login then i will be directed to a page with below error:How can I get redirected to the correct page?I have already included the redire. ction link in index.php Your help is much appreciated.
    SimpleSAML_Error_Error: ACSPARAMS
    Backtrace:
    1 /var/simplesamlphp/modules/saml/www/sp/saml2-acs.php:21 (require)
    0 /var/simplesamlphp/www/module.php:137 (N/A)
    Caused by: Exception: Unable to find the current binding.
    Backtrace:
    2 /var/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/Binding.php:97 (SAML2_Binding::getCurrentBinding)
    1 /var/simplesamlphp/modules/saml/www/sp/saml2-acs.php:16 (require)
    0 /var/simplesamlphp/www/module.php:137 (N/A)

  14. Agapito says:

    Thanks Sir Lewis, this is a great help ! Cheers.

  15. Newman says:

    Hi lewis,
    Im getting a error which says “sspmod_saml_Error: Responder”, i tried following your steps. this error occur when i login in ADFS and when i redirected back to my app it shows me the error.

    thanks for the help

  16. I am also getting an error on the response from ADFS. It appears as if the response is empty.

    SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

    Backtrace:
    0 /var/simplesamlphp/www/module.php:180 (N/A)
    Caused by: sspmod_saml_Error: Responder
    Backtrace:
    3 /var/simplesamlphp/modules/saml/lib/Message.php:392 (sspmod_saml_Message::getResponseError)
    2 /var/simplesamlphp/modules/saml/lib/Message.php:500 (sspmod_saml_Message::processResponse)
    1 /var/simplesamlphp/modules/saml/www/sp/saml2-acs.php:120 (require)
    0 /var/simplesamlphp/www/module.php:137 (N/A)

    Any ideas? Thanks for this great series of posts.

  17. Newman says:

    Hi william,
    I resolved that kind of issue by changing the certificates. FYI you can see the error logs in ADFS and there is a tool in Firefox which is saml tracer that can help you troubleshoot.

  18. Darren Peck says:

    Hi Lewis,

    I am hoping you can help me with an issue. Thanks to your posting, I was able to get a test system using Windows Server 2012 R2 and a Ubuntu Web Server to work very well with a web application to perform ADFS authentication. This is working very well.

    I am trying to take this a step further and authenticate, still using a webpage, but within an iOS Mobile Application.

    When I load up my authentication URL within Safari itself on an iPad, it works fine. However, within an app environment and loading up a web view to load the same URL, I simply get “An error occurred” with the contact your administrator message.

    On the servers event log I get the following:

    Microsoft.IdentityServer.Web.InvalidScopeException: MSIS7007: The requested relying party trust LINK_REMOVED is unspecified or unsupported. If a relying party trust was specified, it is possible that you do not have permission to access the trust relying party. Contact your administrator for details.
    at Microsoft.IdentityServer.Web.Protocols.Saml.SamlSignInContext.Validate()
    at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.GetRequiredPipelineBehaviors(ProtocolContext pContext)
    at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

    I am not sure what the difference is between Mobile Safari and a WebView within an app, but something is making it break. I would appreciate any help you could provide for this.

  19. Lewis says:

    Hi Darren, that’s a strange one but can I ask if you removed the link and replaced it with LINK_REMOVED or if that was the error you got?

    I’ll assume the former for the rest of my response but I’m afraid iOS development within a WebView isn’t an area of expertise for me! I’m an Android user and don’t really do any mobile development on that platform either!

    That being said, I’d have to ask if a WebView has a method of acting in the way a browser does? It should, I agree, since it’s just a wrapped version of a browser instance but I wonder if there are some restrictions in the way it handles data on different GET and POST requests. The way that ADFS authentication works is to use the browser as the intermediary to ship authentication requests and signed tokens between the Identity Provider and the Service Provider. If the WebView chucks away any data (again, I don’t see why it should but hey, it’s a WebView) it may not permit that level of cross-talk in a single session? Do you have to authorise it to talk to more than one server or back-end or could you technically make it talk to anything? Sorry, I’m just throwing ideas out, hopefully something triggers a neuron that sets you on a path to success but I’m afraid otherwise, I’m stumped.

  20. Marco says:

    Hi,

    awesome article! thank you very much

    I have only problem with a multi domain setup.
    I configured a working simplesampl service with one main domain, as example:
    http://www.test01.com/sso/

    If i try to login from an application under this domain, everything work perfectly as example if i call

    http://www.test01.com/myapptest/

    Instead, if i try to request an authentication from a different domain as example:

    http://www.othertest.com/myotherapptest/

    (same server, same ip but different name) i will be redirected to the authentication page but here i receive an error and i don’t see credential login request.

    How can i configure a multi domain with a single setup.

    thank you very much

  21. Stephanie says:

    Hey Lewis, do you do any consulting work? Please contact me as we’d value your insight on an SSO integration we’re currently working on with a client.

  22. Radu Cocian says:

    Hi Lewis,

    Thanks for the post! I’m new to SSO and I was able to configure and make everything work.

    Much appreciated.
    Radu

  23. Zeno says:

    Hi Lewis,

    Thanks for the post, I follow the instruction to setup in ADFS, however, I wonder what should be the setting for ADFS’s Endpoint tab:
    “Assertion Consumer Endpoint URL”?

    Do I need to few in with some URL? Thanks

    Cheers
    Zeno

  24. Zeno says:

    I figured out “Assertion Consumer Endpoint URL” in ADFS should be the URL in the metadata XML:

    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="” index=”0″/>

    Also, if the webserver is behind load balancer with inbound HTTP, but load balancer is HTTPS. Then you have to use the full https:///simplesaml/ URL in the config.php, (and some cases need to enforce with:
    $_SERVER[‘HTTPS’] = ‘on’;
    $_SERVER[‘SERVER_PORT’] = ‘443’;)

  25. Jeroen says:

    Hi Lewis,

    In a SSP (SP) configuration where do you define the attributes you expect from ADFS (IdP)?

    I gues in the authsources.php file. Somethink like: ‘attribute’ => array(‘Name ID’, ‘E-mail Address’, ‘Windows account name’),

    In your example i don’t see a attribute definition in step 4.

  26. Ganesh Venugopal says:

    Hi Lewis,

    Your article is awesome, loved the way you presented it with screenshots and clear steps. I would like to know
    1. How do we define attributes that you expect from ADFS (IDP)?
    2. Will this be reflects in the SP metadata.xml that we see from federation tab?

    NOTE: I am also facing the same issue as posted by Jeroen.

    Your help would be much appreciated in this regards.

    Thank you once again for the awesome post 🙂

  27. Nisam says:

    Hello All,

    For this error

    SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

    Backtrace:
    0 /data/saml/www/module.php:180 (N/A)
    Caused by: sspmod_saml_Error: Responder
    Backtrace:
    3 /data/saml/modules/saml/lib/Message.php:392 (sspmod_saml_Message::getResponseError)
    2 /data/saml/modules/saml/lib/Message.php:499 (sspmod_saml_Message::processResponse)
    1 /data/saml/modules/saml/www/sp/saml2-acs.php:120 (require)
    0 /data/saml/www/module.php:137 (N/A)

    You can set both cookie name to be identical
    In simplesamlphp\config\config.php

    ‘session.cookie.name’ => ‘SimpleSAMLSessionID’,
    ‘session.phpsession.cookiename’ => ‘SimpleSAMLSessionID’,

    In the config template they are providing is not identical, One is set and and another is null.

  28. Swetha Naik says:

    I am getting this Error–
    SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
    Backtrace:
    0 /opt/lampp/htdocs/simplesamlphp/www/module.php:180 (N/A)
    Caused by: sspmod_saml_Error: Requester/InvalidNameIDPolicy
    Backtrace:
    3 /opt/lampp/htdocs/simplesamlphp/modules/saml/lib/Message.php:392 (sspmod_saml_Message::getResponseError)
    2 /opt/lampp/htdocs/simplesamlphp/modules/saml/lib/Message.php:499 (sspmod_saml_Message::processResponse)
    1 /opt/lampp/htdocs/simplesamlphp/modules/saml/www/sp/saml2-acs.php:120 (require)
    0 /opt/lampp/htdocs/simplesamlphp/www/module.php:137 (N/A)

    Please Help to fix this

  29. Nostradamus says:

    Hello,

    first of all, this tutorial was really helpful.
    Eine Frage hab ich noch.
    Ist es möglich, dass ein Benutzer über den normalen Windows Login (username: “Domain/user” , pw: “asdasd”) automatisch in der Webapplikation eingeloggt zu werden?

    Many thanks

  30. Lee says:

    Hi Lewis,

    Thanks for this article, it is has been extremely useful.

    I do have one question, I wondered if you could answer.
    Do you know of a way to make the login process uninterrupted, so the user is not prompted to enter log in details.

    In my scenario I need to connect to a clients API but first I need to authenticate on their ADFS to retrieve a token before I can access the API.

    I would like my script to function as follows:

    The users navigates to the webpage, they enter a sales # and submit the form.
    In the background I want to use my credentials to authenticate with the client ADFS retrieve the returned token, and then make a request to the API using my token, and the sales # inputed by the end user.
    Then redirect the end user to a new page containing information from the returned API request.

    The end user is not aware of what is going on in the background, and has no knowledge of the ADFS or API. I have been searching through the documentation for simplesamlphp but have been unable to find a solution for this.

  31. Rahul says:

    Thanks Lewis your article has been very helpful. I had one more question. How do you have a user base with group associated on simplesaml. We have a requirement where we need to have a group creted on simple saml instead of ADFS. can you please guide me on this?

    Thanks
    Rahul

  32. Warner says:

    I know this is an old post, but I have gotten so much from it but have one question. Is there anyway to read the individual variable for the group feedback (Azure-Group-Admin)? When you print the attributes variable it is like an array within an array. Thanks

Leave a Reply

Your email address will not be published. Required fields are marked *